Timing is Everything
Nov. 21st, 2007 11:56 am
This week's topic in my IT Law course is - wait for it - data protection.
As part of my homework, I've just read the Data Protection Act (yes, the exciting, sexy life of an IP/IT lawyer-to-be!). Schedule 1, Article 7:
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
Schedule 2 amplifies this as follows:
"Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to—
(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b) the nature of the data to be protected.
The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data."
I'll leave it as an exercise for the reader to comment on whether bunging a CD with 25 million records on it in the routine mail was either use of suitable security measures or the act of a reliable employee.
no subject
Date: 2007-11-21 12:04 pm (UTC)
Could you warn us about upcoming topics so we can take appropriate precautions, especially if any of them involve alien invasions, Cthulhuoid horrors or the end of civilization?
no subject
Date: 2007-11-21 12:17 pm (UTC)
Semester 2 topics are currently scheduled as follows:
Week 1 IP protection for software
Week 2 Open Licences
Week 3 Intellectual Property in Cyberspace 2: P2P and downloading
Week 4 Digital Rights Management
Week 5 Trade Marks, the Internet and Domain Names
Week 6 Web 2.0
Week 7 Competition
Week 8 Human Rights
Week 9 Cybercrime (class exercise)
Week 10 Virtual Law
That should cover most angles...
no subject
Date: 2007-11-21 01:32 pm (UTC)
Up until week 6 there'll be a series of government and corporate attacks on open source and creative commons licenses, culminating in a trade-mark-based attack on the internet as a whole with most domain names being taken off line in the name of preventing file sharing and IP theft.
After that the privatized national database systems maintained by different companies will be cross linked via an enterprising FaceBook programmer allowing rampant abuse of human rights by both government and corporations and mass exploitation of security loopholes by organised and disorganised online criminals.
But in the end, the law rides to our rescue as
You can tell I've been awake for rather too long, can't you?
no subject
Date: 2007-11-21 02:15 pm (UTC)
Well, that's one way of funding the course...
no subject
Date: 2007-11-21 01:05 pm (UTC)
There are always exceptions: mailing the Hope Diamond was a reasonable choice precisely because nobody expected it. And no system is 100% safe against accident, but fire damage is irrelevant here, because they can make another CD.
no subject
Date: 2007-11-21 06:35 pm (UTC)
Not surprised that it was just posted as 'standard': not registered, special delivery, proof of delivery or anything like that. So, no way to track it or insure it. Grannies I can understand but an official H.M. Government office? Well, okay... it seems to go without saying these days.
no subject
Date: 2007-11-21 03:27 pm (UTC)
no subject
Date: 2007-11-21 07:44 pm (UTC)
It begs the question of just how many HMRC staff have access to these sorts of datasets other than in very controlled circumstances. How low down the totem pole can you go before permissions to copy and burn the entire 25 MILLION record dataset are refused? The tea-lady?
I do contract IT engineering work for financial companies, big ones. I've got privileged accounts on their main data systems but I'm not allowed anywhere near the real data. For one thing, serious amounts of money are involved and for another there are laws with teeth in them to ensure the financials look after personal data very carefully. It seems the Government in their wisdom have not applied the strictness they demand of commercial entities to their own endeavours. This bodes ill, of course, for the ID scheme but it also should give pause to those supporting stricter passport rules etc.
no subject
Date: 2007-11-21 08:13 pm (UTC)